This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Building consensus over DNSSEC enhancements to glibc.
- From: "Carlos O'Donell" <carlos at redhat dot com>
- To: Florian Weimer <fweimer at redhat dot com>
- Cc: Paul Wouters <pwouters at redhat dot com>, Rich Felker <dalias at libc dot org>, Simo Sorce <simo at redhat dot com>, Petr Spacek <pspacek at redhat dot com>, libc-alpha at sourceware dot org
- Date: Thu, 19 Nov 2015 09:28:32 -0500
- Subject: Re: Building consensus over DNSSEC enhancements to glibc.

On 11/19/2015 09:24 AM, Florian Weimer wrote:
> On 11/19/2015 06:22 AM, Carlos O'Donell wrote:
>> Dare I say that systemd-resolved might solve some of this already?
>
> Unfortunately, systemd-resolved caches far too aggressively and will
> poison its cache, even accidentally. Various parties have tried to
> explain this to the upstream developers, but have not succeeded.
> systemd-resolved should be safe to run behind a BIND 9 recursive server
> in non-forwarding mode, but not much else (I believe even Unbound is
> unsafe due to its last-resort message handling).
>
> systemd-resolved also does not handle exotic record types, I think, it
> is more an NSS-level solution than a libresolv-level solution.
>
> (An earlier attempt in this direction is lwresd, which is part of BIND 9.)

Thanks for that summary. I wasn't sure and had not checked.

Cheers,
Carlos.